By now, pretty much everyone knows or has at least heard about the weakness of WEP (Wired Equivalent Privacy). WEP was the IEEE 802.11 standard’s first attempt at providing encryption for wireless networks, and its privacy was supposedly equivalent to that of an unencrypted wired network. Based on the well-known RC4 algorithm, WEP was thought to be safe from hackers. Unfortunately, while RC4 itself is highly regarded, the WEP implementation contained a fatal flaw that was eventually exploited, and tools to exploit it were published.
What also started were claims of how easy or how hard it really was to crack a WEP key. On one side you had the “gloom and doomers” saying that a WEP-based wireless network could be hacked in a matter of minutes. On the other side you had the “naysayers” claiming that incredible amounts of data had to be collected and that it would take weeks of monitoring to accomplish. Thus started the mad dash to fix WEP and to find other ways to secure wireless networks.
While there are now several newer technologies available to secure WLANs, such as WPA and 802.11i, these new tools won’t work on older devices like many DOS-based data collection terminals. So that brings up a question: How secure is my data collection network if it’s still running WEP?
Let’s start by talking a bit about the basics of WEP and what makes it weak. Static WEP comes in two flavors, 64-bit and 128-bit. When one configures a WEP key on an access point or client device, a hex (or sometimes ASCII) string is entered to represent the key. If we’re using 128-bit WEP, the user-entered portion is 26 hex digits (13 ASCII characters). If you add up the bits, 26 hex digits is only 104 bits. That’s 24 bits short; where did they go? The missing 24 bits (3 bytes) are still there, you just can’t see them. These 24 bits are called the Initialization Vector (IV). The IV is automatically generated by the radio and combined with the user portion of the key to make a full 128 bits. The IV is supposed to be random, but it really isn’t, due to the way WEP was implemented. What ended up happening is that the IV could become predictable, and with a large enough sample it could provide enough information to recover the entire key. These predictable values were called “Weak IVs”, and if a hacker could collect enough of them, the network could be compromised. The catch is that not all WLAN data frames contain Weak IVs, so lots of data is usually needed in order to get a large enough sample.
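As an added example (not code from the original article or from any of the tools it names), the following Python script makes the key arithmetic above concrete. It builds the per-packet RC4 key from a 26-hex-digit user key and a 24-bit IV (in WEP the IV is placed in front of the secret key, and the same IV is transmitted unencrypted in every frame), encrypts two constructed frames, and then shows the cryptographic reason a repeating or predictable IV matters: two frames encrypted under the same IV share one RC4 keystream, so XORing their ciphertexts cancels the key out completely. It also works out how far 24 bits of IV go on a busy network, which goes a little beyond the article’s own point. The user key, IV, frame contents and frame rate are constructed sample values, and the RC4 routine is a textbook implementation.

```python
import math
import zlib

# Valid lengths of the operator-entered hex string (the article's two "flavors").
KEY_SIZES = {10: "64-bit WEP (40-bit user key)", 26: "128-bit WEP (104-bit user key)"}
IV_BITS = 24


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling, then the pseudo-random generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def user_key_bits(user_key_hex: str) -> int:
    """Bits contributed by the operator-entered hex string (26 hex digits -> 104 bits)."""
    if len(user_key_hex) not in KEY_SIZES:
        raise ValueError("WEP user keys are 10 or 26 hex digits")
    return len(user_key_hex) * 4


def per_packet_key(user_key_hex: str, iv: bytes) -> bytes:
    """The RC4 key WEP really uses: the 3-byte IV followed by the secret key.
    Only the IV changes from frame to frame, and it travels in the clear."""
    user_key_bits(user_key_hex)  # validate the length
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be exactly 3 bytes")
    return iv + bytes.fromhex(user_key_hex)


def wep_encrypt(user_key_hex: str, iv: bytes, payload: bytes) -> bytes:
    """Encrypt one frame body: payload plus its CRC-32 integrity check value (ICV),
    XORed with the RC4 keystream for this IV. Returns only the ciphertext; the IV
    is sent alongside it unencrypted."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    plaintext = payload + icv
    ks = rc4_keystream(per_packet_key(user_key_hex, iv), len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """Two frames encrypted under the same per-packet key share one keystream, so
    the XOR of the ciphertexts equals the XOR of the plaintexts: the key drops out."""
    return xor_bytes(ct_a, ct_b)


def iv_space_summary(frames_per_second: float) -> dict:
    """How far 24 bits of IV go: the full space, the time a sequential counter
    needs to wrap, and the birthday bound for randomly chosen IVs."""
    space = 2 ** IV_BITS
    birthday = math.ceil(math.sqrt(2 * math.log(2) * space))  # ~50% chance of a repeat
    return {
        "iv_space": space,
        "seconds_to_exhaust_sequential": space / frames_per_second,
        "frames_to_50pct_random_collision": birthday,
    }


if __name__ == "__main__":
    # Constructed sample values, not a real network's key or traffic.
    USER_KEY = "0123456789ABCDEF0123456789"
    IV = bytes.fromhex("0C1D2E")
    frame_a = b"Pick list 0042: 12 units of SKU 77310"
    frame_b = b"Pick list 0043: 30 units of SKU 11209"

    print(KEY_SIZES[len(USER_KEY)], "user key bits =", user_key_bits(USER_KEY),
          "+ IV bits =", IV_BITS, "-> RC4 key bits =", len(per_packet_key(USER_KEY, IV)) * 8)

    ct_a = wep_encrypt(USER_KEY, IV, frame_a)
    ct_b = wep_encrypt(USER_KEY, IV, frame_b)  # the same IV reused: the mistake
    n = min(len(frame_a), len(frame_b))
    leak = keystream_reuse_leak(ct_a, ct_b)[:n]
    print("ciphertext XOR == plaintext XOR (key cancelled):", leak == xor_bytes(frame_a, frame_b)[:n])

    stats = iv_space_summary(frames_per_second=500)
    print("24-bit IV space:", stats["iv_space"], "frames; a sequential counter wraps after %.1f hours at 500 fps"
          % (stats["seconds_to_exhaust_sequential"] / 3600))
```

The script never touches the secret key when computing the leak; the point is that the XOR relation holds for any key, so the only thing protecting a WEP network is that IVs are never reused and never predictable, and a 3-byte IV cannot deliver that on a busy network.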
There are a few tools for cracking WEP keys; Airsnort, WEPCrack and Aircrack are just a few. Most tools rely on collecting large amounts of raw wireless data and storing it in a data file. The data file is then fed into a cracking program that looks for the Weak IVs and processes them. The amount of data needed depends on the tool used. Some could even process raw data on the fly as it was being monitored.
Raw wireless frames are gathered by taking a WLAN card and placing it in “Monitor Mode”. Normally a radio card (or any Ethernet-type card) receives raw frames, looks to see whether any are addressed to it, then strips off all the control “stuff” and passes the payload up the stack to the application. A card in Monitor Mode receives everything and passes it straight on, without looking at addresses or stripping off the control “stuff”. The control “stuff” is what the cracking programs need to see.
Programs like Kismet and Airodump are used to collect the raw data. They also serve as wireless “sniffing” systems and will reveal virtually everything about a wireless network short of the actual data: SSIDs (even if SSID broadcast is OFF), IP addressing and MAC addresses are all visible.
The general rule of thumb is that at least 1,000,000 to 2,000,000 Weak IVs are needed by Airsnort to crack a key. Aircrack is said to need at least 500,000 to 2,000,000 Weak IVs. The total number of packets required to get this many Weak IVs can be very large; over 15,000,000 packets may be needed. A small network with two access points and 10 data collection terminals may take many weeks to generate that much traffic, but a large WLAN with many laptop users could generate that much traffic in a day or so.
The sample network I used had 1 access point, 5 VoIP wireless phones and 5 data collection terminals. Over the course of 3 days, I was only able to collect 3,500,000 packets with a total of 200,000 Weak IVs. I didn’t think I had a large enough sample. I was wrong.
I used Airodump to collect the data and passed the resulting file to Aircrack. The file was a little less than 1GB. I used a 1GHz Pentium M laptop with 256MB RAM and XP Pro to run the test.
Aircrack took about 3 minutes to read in the entire file. Once it was read in, I started the cracking process. It cracked the key in 3 SECONDS. Stunned, I ran the crack again. This time it cracked it in 2 SECONDS! So much for needing huge amounts of data.
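The rule-of-thumb figures quoted earlier and the numbers from this test (3,500,000 packets yielding 200,000 Weak IVs in 3 days) are easy to turn into an exposure check a network owner can run on their own WEP traffic. The following Python script is an added example, not part of the original article: it reads constructed capture records of the form “seconds IV-hex” (one per data frame, the kind of thing a monitor-mode capture yields), counts frames, distinct IVs, IV reuse and Weak IVs, and projects how long the observed rate needs to reach the Weak IV counts the article attributes to Airsnort and Aircrack. The Weak IV test used here is only the classic Fluhrer-Mantin-Shamir form (first byte B+3 for a key byte index B, second byte 0xFF); the cracking tools recognise further classes, so this count is a lower bound, not their count. The capture lines, timestamps and IVs are constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass

# Weak IV counts the article attributes to the tools.
AIRSNORT_WEAK_IVS = (1_000_000, 2_000_000)
AIRCRACK_WEAK_IVS = (500_000, 2_000_000)
SECONDS_PER_DAY = 86_400

# Constructed sample capture: seconds since start and the 3-byte IV of each data frame.
CAPTURE = """\
# constructed sample, not real traffic
0.0  0A1B2C
5.0  03FF17
10.0 0A1B2C
15.0 7E2210
20.0 0BFF9A
25.0 11FF40
30.0 0FFF01
35.0 00FF55
40.0 0A1B2D
45.0 03FF18
50.0 10FF22
60.0 0CFF00
"""


def is_classic_weak_iv(iv: bytes, key_bytes: int = 13) -> bool:
    """Original FMS weak-IV form (B + 3, 0xFF, X), B indexing one of the secret key
    bytes (13 for 104-bit keys, 5 for 40-bit keys). Other weak classes exist."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes


def parse_capture_lines(lines):
    """Parse 'timestamp iv_hex' records into (seconds, iv) tuples, skipping comments."""
    frames = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, iv_hex = line.split()
        iv = bytes.fromhex(iv_hex)
        if len(iv) != 3:
            raise ValueError(f"bad IV length in record: {line!r}")
        frames.append((float(ts), iv))
    return frames


@dataclass
class Exposure:
    frames: int
    distinct_ivs: int
    reused_frames: int      # frames carrying an IV already seen earlier in the capture
    weak_ivs: int
    frames_per_day: float
    weak_per_day: float

    def days_to(self, weak_iv_target: int) -> float:
        """Days of traffic at the observed rate to accumulate weak_iv_target Weak IVs."""
        return float("inf") if self.weak_per_day == 0 else weak_iv_target / self.weak_per_day


def audit(frames, key_bytes: int = 13) -> Exposure:
    """Summarise a capture: volume, IV reuse, Weak IV count and the daily rates."""
    counts = Counter(iv for _, iv in frames)
    weak = sum(1 for _, iv in frames if is_classic_weak_iv(iv, key_bytes))
    span = max(1.0, frames[-1][0] - frames[0][0]) if frames else 1.0
    return Exposure(frames=len(frames), distinct_ivs=len(counts),
                    reused_frames=len(frames) - len(counts), weak_ivs=weak,
                    frames_per_day=len(frames) * SECONDS_PER_DAY / span,
                    weak_per_day=weak * SECONDS_PER_DAY / span)


def project_from_measurement(packets: int, weak_ivs: int, days: float, target: int):
    """Scale a measured (packets, Weak IVs, days) triple, e.g. the article's
    3,500,000 / 200,000 / 3, to the packets and days needed for a target Weak IV count."""
    return target * packets / weak_ivs, target * days / weak_ivs


if __name__ == "__main__":
    e = audit(parse_capture_lines(CAPTURE.splitlines()))
    print(f"{e.frames} frames, {e.distinct_ivs} distinct IVs, {e.reused_frames} IV reuses, "
          f"{e.weak_ivs} classic Weak IVs; {e.frames_per_day:.0f} frames/day")
    for name, (low, high) in (("Airsnort", AIRSNORT_WEAK_IVS), ("Aircrack", AIRCRACK_WEAK_IVS)):
        print(f"{name}: {e.days_to(low):.1f} to {e.days_to(high):.1f} days at this rate")
    pkts, days = project_from_measurement(3_500_000, 200_000, 3, 500_000)
    print(f"Article's network scaled to 500,000 Weak IVs: {pkts:,.0f} packets, {days:.1f} days")
```

Scaling the article’s own measurement shows that its network would have produced the 500,000 Weak IVs Aircrack was said to need in about a week and a half, and the 1,000,000 Airsnort was said to need in just over two weeks; the test cracked the key with less than half the lower figure, so the projection is an optimistic upper bound, not a safety margin.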
Now back to my question: How secure is my data collection network if it’s still running WEP?
The answer: Not very! We used to think that WEP would be OK for small networks with low volumes. I’ve now shown that this isn’t true. Even small networks are vulnerable with a relatively small amount of data. If you have a network at home with a lot of wireless traffic, avoid WEP and use WPA with a Pre-Shared Key. Most newer consumer-grade APs support WPA-PSK.
What about the data collection terminals? If they’re new enough, you may be able to replace the radios with ones that support better encryption, like Cisco’s LEAP with CKIP, with no performance impact on the terminal. Later-generation terminals based on Windows CE can run more sophisticated systems like PEAP.